mikyll commented on issue #11262:
URL: https://github.com/apache/apisix/issues/11262#issuecomment-2720835439

@akshayparseja consider that this behaviour has been around for quite some time, and the 2.x.x version is very old, I would say "vintage" 😄

Even though I agree that the jwt-auth plugin shouldn't enforce the presence of `exp` or `nbf` claims **_by default_**, currently this is not configurable.

## Workarounds

### Custom `jwt-auth`

You could create a custom version of the `jwt-auth` plugin and do **one of the following**:

- don't pass the `claim_spec` parameter to the `jwt:verify_jwt_obj()` function (see [this line](https://github.com/apache/apisix/blob/52d8fea3dbc93c4b59ac6682902955c6146af4ad/apisix/plugins/jwt-auth.lua#L290), with reference to the APISIX master branch):

    ```lua
    jwt_obj = jwt:verify_jwt_obj(auth_secret, jwt_obj) -- Here: no claim_spec argument
    core.log.info("jwt object: ", core.json.delay_encode(jwt_obj))
    ```

- set `claim_specs.lifetime_grace_period = nil` (see [this line](https://github.com/apache/apisix/blob/52d8fea3dbc93c4b59ac6682902955c6146af4ad/apisix/plugins/jwt-auth.lua#L288), with reference to the APISIX master branch):

    ```lua
    local claim_specs = jwt:get_default_validation_options(jwt_obj)
    claim_specs.lifetime_grace_period = nil -- Here: drop the grace period
    ```

#### Explanation

The reason it works like that is that the presence of `require_exp_claim` and `require_nbf_claim` (set by `jwt:get_default_validation_options(jwt_obj)`) and/or `lifetime_grace_period` in `claim_specs` triggers [`is_legacy_validation_options`](https://github.com/api7/lua-resty-jwt/blob/6a2dda8915a10fe7d46637d048705a5ee22b9029/lib/resty/jwt.lua#L752C16-L752C44) and makes `exp` or `nbf` required claims (see [this line](https://github.com/api7/lua-resty-jwt/blob/6a2dda8915a10fe7d46637d048705a5ee22b9029/lib/resty/jwt.lua#L723)).

### Custom Dependency `api7-lua-resty-jwt`

Another possibility is to edit the code of `api7/lua-resty-jwt`, update the dependency in the [`.rockspec`](https://github.com/apache/apisix/blob/master/apisix-master-0.rockspec) file and build APISIX from source (see [APISIX Docs | Building APISIX from source](https://apisix.apache.org/docs/apisix/building-apisix/)).

But I think that's an even worse solution 😅
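As an added example (not code from the issue thread, from APISIX or from lua-resty-jwt), the following goes one step beyond the first workaround above: instead of dropping `claim_spec` entirely, which also drops expiry checking, it passes an explicit claim spec that still rejects expired or not-yet-valid tokens when `exp`/`nbf` are present but does not require them. It assumes the `resty.jwt` and `resty.jwt-validators` modules of api7/lua-resty-jwt with their `opt_is_not_expired`/`opt_is_not_before` validators; `build_claim_spec`, `verify_with_optional_lifetime` and the leeway value are names and values chosen for this example.

```lua
-- Added example, not APISIX or lua-resty-jwt code: a claim_spec in which
-- `exp` and `nbf` are validated only when the token carries them.
local jwt = require("resty.jwt")                   -- assumed module path
local validators = require("resty.jwt-validators") -- assumed module path

-- Build the claim spec. The opt_* validators pass when the claim is absent
-- and apply the normal time check when it is present, so a token without
-- `exp` is accepted but an expired one is still rejected.
local function build_claim_spec(leeway_seconds)
    -- Leeway is a process-wide setting of the validators module; the value
    -- is a hypothetical choice for this example.
    validators.set_system_leeway(leeway_seconds or 0)
    return {
        exp = validators.opt_is_not_expired(),
        nbf = validators.opt_is_not_before(),
    }
end

-- Verify a raw token against a shared secret using the relaxed claim spec.
-- Returns the verified jwt_obj, or nil plus the library's reason string.
local function verify_with_optional_lifetime(secret, token, leeway_seconds)
    local jwt_obj = jwt:load_jwt(token)
    if not jwt_obj.valid then
        return nil, jwt_obj.reason   -- malformed token (parsing failed)
    end
    -- Passing our own claim_spec means get_default_validation_options() and
    -- lifetime_grace_period are never used, so the legacy option path that
    -- forces `exp`/`nbf` to be present is not taken. Signature verification
    -- still happens here; only the lifetime claims become optional.
    jwt_obj = jwt:verify_jwt_obj(secret, jwt_obj, build_claim_spec(leeway_seconds))
    if not jwt_obj.verified then
        return nil, jwt_obj.reason   -- bad signature, expired, or not yet valid
    end
    return jwt_obj
end

return {
    build_claim_spec = build_claim_spec,
    verify_with_optional_lifetime = verify_with_optional_lifetime,
}
```

In a custom `jwt-auth` plugin this would replace the `jwt:verify_jwt_obj(auth_secret, jwt_obj, claim_specs)` call, keeping signature and (when present) lifetime checks while relaxing only the presence requirement.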